projet dnsprivacy-monitoring

I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities.

Open DNS resolvers that answer queries coming from anyone have been the main component of a large number of DDoS attacks in recent years.

Le 10 mai, Cedexis a subi une large attaque DDoS. Plusieurs médias français, qui s'appuient sur ses services, étaient inaccessibles une partie de la journée. Un baptême du feu pour la jeune pousse, qui revient pour nous sur cet événement.

Fast, free and open-source spam filtering system

DNSSEC Trace & Analyzer Tool

Maybe Skip SHA-3

Aeris, que vous suivez peut-être sur Twitter et qui s'occupe entre autres des Cafés Vie Privée a mis en ligne sa conf sur l'Hygiène numérique à destination des administrateurs système.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.

This is a new and revised version of the classic PF tutorial, with added content covering more topics related to networking, and with additional exercises to put the knowledge in practice.

On vient de nous proposer d’écrire un court texte pour le Mobile Ecosystem Forum à propos de l’attaque Wannacry, ce virus qui chiffre votre disque dur et demande une rançon en échange. L’article vient d’être publié en anglais, mais nous nous sommes dit qu’une version un peu plus étoffée et en français pourrait intéresser la communauté Cozy Cloud.

This penetration testing tool allows an auditor to intercept SSH connections. A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.

Lors d'une discussion avec un Officier de Police Judiciaire, celui-ci me demandait comment faire une analyse de disque dur sans budget logiciel, tout en garantissant un bon niveau d'investigation.

Quarkslab was hired by OSTIF to perform a security assessment of OpenVPN 2.4.0. We focused on code and cryptography assessment. Results are briefly described in this blog post, and full report is available at its end.

Never configure nginx with the resolver directive pointing to a resolver on the Internet like Google Public DNS, OpenDNS, or your ISP’s resolver. Many nginx users make this exact mistake.

ssh_scan is an easy-to-use prototype SSH configuration and policy scanner for Linux and UNIX servers, inspired by Mozilla OpenSSH Security Guide, which provides a reasonable baseline policy recommendation for SSH configuration parameters such as Ciphers, MACs, and KexAlgos and much more.

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren't taken.

I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyse a device that had quite a lot of people all excited. With slick marketing, catchy tag lines and some pretty bold claims about their security, nomx claim to have cracked email security once and for all. Down the rabbit hole we go!

Par définition, un serveur est accédé de manière distante. C’est à dire qu’on doit pouvoir l’administrer sans être physiquement devant. Alors qu’il soit dans un datacenter à l’autre bout du globe ou dans le grenier de la maison, SSH nous permettra de gérer tout ça depuis notre ordinateur de bureau (ou laptop).

I found on Twitter an interesting blog post on breaking (EC)DSA and was writing a lengthy comment when some weird combination of keystrokes shutdown my browser and ate my comment, so I thought I'd write a blog post instead.